Introduction

This document describes the feature matrix for the FlexConnect feature on the Wireless LAN Controller (WLC). This feature matrix applies to Cisco Unified Wireless Network (CUWN) Release 7.0.116 and later.

Note: New features are added to FlexConnect with every new release. Review the release notes for the latest details.

Note: Prior to Release 7.2, FlexConnect was called Hybrid REAP (HREAP). It is now always referred to as FlexConnect.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

Control and Provisioning of Wireless Access Points (CAPWAP) protocol

Configuration of lightweight Access Points (APs) and Cisco WLCs

Components Used

The information in this document is based on CUWN Releases 7.0.116.0 and later. This article has been updated with Release 8.0.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information

FlexConnect

FlexConnect is a wireless solution for branch office and remote office deployments. It enables you to configure and control APs in a branch or remote office from the corporate office through a WAN link without the deployment of a controller in each office. The FlexConnect APs can switch client data traffic locally and perform client authentication locally. When they are connected to the controller, they can also send traffic back to the controller. FlexConnect is only supported on these components:

FlexConnect local authentication is useful where you cannot maintain a remote office setup with a minimum bandwidth of 128 kb/s and a round-trip latency of no greater than 100 ms. The maximum tolerated latency for FlexConnect is 300 ms, regardless of the features that are used.

The next section outlines the FlexConnect Feature Matrix.

Note: Pre-802.11n APs, such as 1130 or 1240, are still supported by later code. However, these APs do not receive new features as of Release 7.3. Therefore, these APs do not support FlexConnect features that appear after Release 7.3.

FlexConnect Feature Matrix - Legacy and New Features in Release 7.0.116 and Later

Security - Client

Security support on FlexConnect varies with different modes and states. This table summarizes the security features that are supported:

| Feature | WAN Up (Central Switching) | WAN Up (Local Switching) | WAN Up (Local Switching, Local Authorization) | WAN Down (Standalone) |
| --- | --- | --- | --- | --- |
| Open/Static WEP | Yes | Yes | Yes | Yes |
| WPA-PSK | Yes | Yes | Yes | Yes |
| 802.1x (WPA/WPA2) | Yes | Yes | Yes | Yes |
| MAC filter Authentication | Yes | Yes | No | No |
| CCKM Fast Roaming | Yes | Yes | Yes | Yes, for connected clients. No, for new clients. |

Security - Infrastructure

| Feature | WAN Up (Central Switching) | WAN Up (Local Switching) | WAN Down (Standalone) |
| --- | --- | --- | --- |
| Data DTLS Encryption | Yes | N/A | N/A |
| Local EAP (7.0 to 7.4) | Yes (LEAP/EAP-FAST) | Yes (LEAP/EAP-FAST) | Yes (LEAP/EAP-FAST) |
| Local EAP (7.5 and later) | Yes (LEAP/EAP-FAST/PEAP/EAP-TLS) | Yes (LEAP/EAP-FAST/PEAP/EAP-TLS) | Yes (LEAP/EAP-FAST/PEAP/EAP-TLS) |
| Backup Radius | Yes (7.0.116) | Yes (7.0.116) | Yes |
| MIC | Yes | Yes | Not applicable |

Security

Security support on FlexConnect varies with different modes and states. This table summarizes the legacy and new security features supported with WLC Release 7.0.116.0 and later:

| Feature | WAN Up (Central Switching) | WAN Up (Local Switching) | WAN Up (Local Switching, Local Authorization) | WAN Down (Standalone) |
| --- | --- | --- | --- | --- |
| Adaptive Wireless Intrusion Prevention (aWIPS) | Yes | Yes | Yes | No |
| Rogue, Intrusion Detection (IDS) | Yes | Yes | Yes | No |
| Management Frame Protection (MFP) (Client, Infrastructure) | Yes | Yes | Yes | No |
| 802.11w "MFP" | Yes (7.5) | Yes (7.5) | Yes (7.5) | Yes (7.5) |
| 802.11r Fast Transition | Yes | Yes | Yes | No |
| Self-Signed Certificate (SSC) | Yes | Yes | Yes | N/A |
| Rogue Location Discovery Protocol (RLDP) | Might work depending on hops, WAN speed | Might work depending on hops, WAN speed | Might work depending on hops, WAN speed | No |
| Opportunistic Key Caching (OKC) Fast Roam | Yes | Yes | Yes | No(1) |
| FlexConnect Local Auth | N/A | Yes | Yes | Yes |
| AAA Override | Yes | Yes | Yes | Yes |
| Static ACL | Yes | Yes(2) No | Yes(2) No | Yes(2) No |
| Per-user RADIUS ACL | Yes (7.5) | Yes (7.5) | Yes (7.5) | No |
| L2 ACL | Yes (7.5) | Yes (7.5) | Yes (7.5) | Yes (7.5) |
| DNS ACL | Yes (7.6) | Yes (7.6) | No | No |
| P2P Blocking | Yes | Yes | Yes | Yes |
| Mesh LSC | N/A | N/A | N/A | N/A |
| Bring Your Own Device/ISE (BYOD) | Yes | Yes (7.2.110.0) | No | No |
| PCI Compliance for Neighbor Pkts | Yes | Yes | Yes | No |
| Russia DTLS Support | Yes | N/A | No | No |
| wIPS Enhanced Local Mode (ELM) | Yes | Yes | Yes | No |
| Limit Clients per WLAN | Yes | Yes(3) | Yes | No |
| Limit Clients per Radio | Yes | Yes | Yes | Yes |
| Client Exclusion Policy | Yes | Yes(3) | Yes | No |
| Radius NAC | Yes | Yes | No | No |
| TrustSec SXP | No | No | No | No |

(1) Yes for clients that have association at Connected mode.

(2) FlexConnect Access Control Lists (ACLs) should be used.

(3) Limits and exclusion are enforced by the WLC, so the client is deauthorized after a successful Association Response.

Voice & Video

This table lists the legacy and new Voice & Video services supported with WLC Release 7.0.116.0 and later with FlexConnect:

| Feature | WAN Up (Central Switching) 100 ms RTT | WAN Up (Local Switching) 100 ms RTT | WAN Down (Standalone) |
| --- | --- | --- | --- |
| Voice | Yes with RTT 100 ms | Yes with RTT 100 ms | Yes with RTT 100 ms |
| | Yes with RTT 900 ms (with CCKM and OKC) | Yes with RTT 900 ms (with CCKM and OKC) | |
| QoS Markings(1) | Yes | Yes | Yes |
| QoS Per-User Bandwidth Contract | Yes (7.4) | Yes (7.5) | No |
| UAPSD | Yes | Yes | Yes |
| Voice Diagnostics | Yes | Yes | No |
| Voice Metrics | Yes | Yes | No |
| TSPEC/Call Admission Control (CAC) | Yes - non CCX | Yes - non CCX | No |
| | Yes - CCX(2) | Yes - CCX(2) | |

(1) Includes both DSCP/dot1p markings.

(2) CAC on WLC, deauthorization on roaming failure.

Services

This table lists the legacy and new services supported with WLC Release 7.0.116.0 and later with FlexConnect:

| Feature | WAN Up (Central Switching) | WAN Up (Local Switching) | WAN Up (Local Switching, Local Authorization) | WAN Down (Standalone) |
| --- | --- | --- | --- | --- |
| Internal Webauth | Yes | Yes | No | N/A |
| External Webauth | Yes (7.2.110.0) | Yes (7.2.110.0) | No | N/A |
| CleanAir (SI on 3500) | Yes | Yes | Yes | N/A |
| Multicast-Unicast (Videostream) | Yes (except on 7500, 8500 and vWLC) | Yes (8.0) | Yes (8.0) | Yes (8.0) |
| Location | Yes with BW/Scale limitation | Yes with BW/Scale limitation | Yes with BW/Scale limitation | N/A |
| Radio Resource Management | Yes | Yes | Yes | No |
| NG RRM - RF Static Grouping | Yes(1) | Yes(1) | Yes | No |
| SE Connect (CleanAir Update) | Yes | Yes | Yes | No(2) |
| S60 Enhancement | Yes | Yes | Yes | No |
| Profiling | Yes | Yes | Yes | No |
| AVC | Yes | No | No | No |
| Bonjour Gateway | Yes | No | No | No |
| mDNS AP | Yes | No | No | No |
| LSS | Yes | No | No | No |
| Origin Based services | Yes | No | No | No |
| Priority MAC | Yes | No | No | No |
| Bonjour Browser | Yes | No | No | No |

(1) Any RRM-specific requirements apply (at least 4 APs for TPC).

(2) Yes for standalone after disconnecting from WLC, but no for reboot.

Infrastructure

| Feature | WAN Up (Central Switching) | WAN Up (Local Switching) | WAN Down (Standalone) |
| --- | --- | --- | --- |
| Passive Clients | No | No | No |
| Proxy ARP | Yes (8.0) | Yes (8.0) | Yes (8.0) |
| Syslog | Yes | Yes | Yes |
| CDP | Yes | Yes | Yes |
| Client Link | Yes | Yes | Yes(2) |
| Load Balancing(3) | Yes (7.4) | Yes (7.4) | No |
| Band Select | Yes | Yes | No |
| AP Image PreDownload | Yes | Yes | No |
| FlexConnect Smart AP Image Upgrade | Yes | Yes | Yes(1) |
| AP Regulatory Domain Updates (Chile) | Yes | Yes | Yes |
| VLAN Pooling/Mcast Optim. | Yes | N/A | N/A |
| Mesh - 24 backhaul | N/A | N/A | N/A |
| Cisco WGB Support | Yes | Yes (7.3) | No |
| 3rd party WGB Support | Yes | Yes | Yes |
| Web Auth Proxy | Yes | Yes | No |
| FlexConnect AP Group Increase | Yes | Yes | Yes |
| Client fault tolerance | N/A | Yes | N/A |
| DHCP Option 60 | Yes | Yes | Yes |
| DFS/802.11h | Yes | Yes | Yes |
| AP Group VLANs | Yes | N/A | N/A |

(1) Provided if the Master AP is already upgraded and Slave APs are updated with their Master AP.

(2) Only on second-gen 11n APs and newer (1600, 2600, 3600, ...)

(3) FlexConnect APs do not send (re)association responses with status 17 for load-balancing as do Local mode APs; instead, they first send (re)association responses with status 0 (success) and then deauth with reason 5. This occurs as the AP handles the association locally and load-balancing decisions are taken at the WLC.
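The behaviour in footnote (3) matters when triaging deauthentication frames: on FlexConnect, a load-balancing rejection looks like a successful association followed by a deauth. The following is an added example, not part of the original document or any Cisco tool; the record format, the function name, and the 2-second pairing window are assumptions, and the frames are constructed sample data.

```python
from collections import namedtuple

# Constructed 802.11 management-frame records (not captured traffic).
# kind: "assoc_resp" carries a status code, "deauth" carries a reason code.
Frame = namedtuple("Frame", "t client kind code")

STATUS_SUCCESS = 0   # (re)association accepted
STATUS_AP_FULL = 17  # AP unable to handle additional associated stations
REASON_AP_FULL = 5   # AP unable to handle all currently associated stations
WINDOW_S = 2.0       # assumed maximum gap between success and deauth

def classify_load_balancing(frames, window=WINDOW_S):
    """Return {client: label} for load-balancing style rejections.

    'local-mode'         : (re)association response with status 17
    'flexconnect'        : status 0 followed by deauth reason 5 within window
    'unexplained-deauth' : deauth reason 5 with no recent successful
                           association; review these separately
    """
    verdicts = {}
    last_success = {}  # client -> time of most recent status-0 response
    for f in sorted(frames, key=lambda fr: fr.t):
        if f.kind == "assoc_resp":
            if f.code == STATUS_AP_FULL:
                verdicts[f.client] = "local-mode"
            elif f.code == STATUS_SUCCESS:
                last_success[f.client] = f.t
        elif f.kind == "deauth" and f.code == REASON_AP_FULL:
            ok_at = last_success.pop(f.client, None)
            if ok_at is not None and f.t - ok_at <= window:
                verdicts[f.client] = "flexconnect"
            else:
                verdicts[f.client] = "unexplained-deauth"
    return verdicts

SAMPLE = [
    Frame(10.00, "aa:aa:aa:00:00:01", "assoc_resp", 17),  # Local mode AP
    Frame(11.00, "aa:aa:aa:00:00:02", "assoc_resp", 0),   # FlexConnect AP
    Frame(11.40, "aa:aa:aa:00:00:02", "deauth", 5),
    Frame(12.00, "aa:aa:aa:00:00:03", "assoc_resp", 0),   # normal join
    Frame(20.00, "aa:aa:aa:00:00:04", "deauth", 5),       # no prior success
    Frame(30.00, "aa:aa:aa:00:00:05", "assoc_resp", 0),
    Frame(45.00, "aa:aa:aa:00:00:05", "deauth", 5),       # too late to pair
]

if __name__ == "__main__":
    for client, label in classify_load_balancing(SAMPLE).items():
        print(client, label)
```
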

Note: The passive client feature is not supported on FlexConnect APs; however, FlexConnect APs do not perform proxy ARP by default, and that is a part of the passive client feature. Proxy ARP, by contrast, was added as a feature for FlexConnect APs with Release 8.0 and later.

Mobility / Roaming Scenarios

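| WLAN Configuration | Local Switching: CCKM | Local Switching: PMK (OKC) | Local Switching: Others | Central Switching: CCKM | Central Switching: PMK (OKC) | Central Switching: Others |
| --- | --- | --- | --- | --- | --- | --- |
| Mobility Between Same Flex Group | Fast Roam(1) | Fast Roam(1) | Full Auth(1) | Fast Roam | Fast Roam | Full Auth |
| Mobility Between Different Flex Group | Full Auth | Full Auth | Full Auth | Full Auth | Full Auth | Full Auth |
| Inter Controller Mobility | N/A | N/A | N/A | Full Auth | Fast Roam | Full Auth |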

(1) Provided WLAN is mapped to the same VLAN (same subnet).

Note: In order to support centralized access control through a centralized Authentication, Authorization, and Accounting (AAA) server, such as the Cisco Identity Services Engine (ISE) or ACS, the IPv6 ACL can be provisioned on a per-client basis with the use of AAA Override attributes. In order to use this feature, the IPv6 ACL must be configured on the controller, and the WLAN must be configured with the AAA Override feature enabled. The AAA attribute for an IPv6 ACL is Airespace-IPv6-ACL-Name, similar to the Airespace-ACL-Name attribute used in order to provision an IPv4-based ACL. The AAA attribute-returned contents should be a string that is equal to the name of the IPv6 ACL, as configured on the controller.